Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Security

Academic Research Finds Five US Telcos Vulnerable To SIM Swapping Attacks (zdnet.com) 17

A Princeton University academic study found that five major US prepaid wireless carriers are vulnerable to SIM swapping attacks. From a report: A SIM swap is when an attacker calls a mobile provider and tricks the telco's staff into changing a victim's phone number to an attacker-controlled SIM card. This allows the attacker to reset passwords and gain access to sensitive online accounts, like email inboxes, e-banking portals, or cryptocurrency trading systems. All last year, Princeton academics spent their time testing five major US telco providers to see if they could trick call center employees into changing a user's phone number to another SIM without providing proper credentials. According to the research team, AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were found to be using vulnerable procedures with their customer support centers, procedures that attackers could use to conduct SIM swapping attacks. In addition, the research team also looked at 140 online services and websites and analyzed on which of these attackers could employ a SIM swap to hijack a user's account. According to the research team, 17 of the 140 websites were found to be vulnerable.
This discussion has been archived. No new comments can be posted.

Academic Research Finds Five US Telcos Vulnerable To SIM Swapping Attacks

Comments Filter:
  • by DigitAl56K ( 805623 ) on Monday January 13, 2020 @12:19PM (#59616108)

    I'll make a similar post here to one I made a couple of days back: Major companies and services should stop using phone numbers for account recovery. Google whines at you if you don't have a recovery phone number. Some companies use a phone number as their 2FA. Signal uses your phone number as your account, in fact you can't even use the desktop app without one.

    I've had friends whose Google accounts and social media were all taken over thanks to SIM hijacking. We shouldn't base security on a model where the more of a target you are, the weaker the security -- i.e. at some point you get interesting enough for someone to dial up a carrier and then everything falls over.

    • We have a problem where we don't want to be tracked and monitored. But we also want to know the services that we use are only using our account for the services we have purchased.

      Login Names and Passwords suck. As they are often easily guessed and cracked, while difficult for the user to keep track of them. So they will often use the same password.

      Login Name Password + Secondary Authentication (Random Token) while much better, offer more hassle for the end user.

      Bio-metrics offer less hassle for the end us

      • Re:Identity Problem. (Score:4, Interesting)

        by 140Mandak262Jamuna ( 970587 ) on Monday January 13, 2020 @03:52PM (#59617096) Journal
        Identification is not authentication.

        In the non digital world my name is just my identification. Its my signature on a document that is authentication.

        Biometrics are good for identification. We should assume everyone will know your biometric data. It is unmutable. Building the entire authentication frame work where only the good guys will have your biometric data is stupid. Assume criminals will be able to have access to you biometrics. What then?

    • Google and Facebook will let you use U2F keys. This is the correct way to go on security. I should not have to give out my phone number to single web site. The U2F key is working great and is an affordable solution. Now the stupid thing is, Google and FB are more secure than my damn bank(s). Go figure.

    • There is a reason things are going that way, people's phone is something they rely on, so if it gets hijacked, at least they will notice and do something about it. This makes it more reliable than a made-up credential that nobody actually cares about, like a password to a social media site.

      It's easy to say "don't rely on that, it's not perfect," but pointless without proposing something better.

      • Things aren't going that way, things started out that way because phone numbers are something that was just there, and there isn't enough push to change the model. SIM hijacking is devastating to those who fall victim, but there aren't enough victims for someone to fix the problem.

  • OK for 2FA (Score:4, Interesting)

    by enriquevagu ( 1026480 ) on Monday January 13, 2020 @12:44PM (#59616200)

    Just wanted to highlight that phone-based authentication, when combined with another mechanism (e.g. a password) in a two-factor authentication system, actually increases the security of the initial mechanism alone (the password). With the phone support in 2FA, an attacker needs to both obtain the password and perform the SIM swapping trick.

    However, phone-based authentication should be completely forbidden as a password-recovery mechanism, since it lowers the security of the mechanism, essentially making the password useless. I bet this use is very common...

    • by Anonymous Coward

      Yeah. Google keeps pressuring me to assign a phone number to my account. No way.

    • Just wanted to highlight that phone-based authentication, when combined with another mechanism (e.g. a password) in a two-factor authentication system, actually increases the security of the initial mechanism alone (the password).

      Yes and this allows people to get lazy and reuse their pwned passwords, making it essentially a single factor authentication system again. Is there a Jevons Paradox of passwards?

    • That's debatable.

      If you're involved in a databreach that reveals your account name, phone number, and a password that can be recovered, the _only_ remaining factor is your 2FA, meaning it's no harder than compromising one factor at this point.

  • AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were found to be using vulnerable procedures with their customer support centers, ...

    So... Everyone by Sprint. US Mobile is a MVNO [wikipedia.org] that uses T-Mobile and Verizon for its host network.

    And, to be picky, TFS should have said US-operated carriers. T-Mobile (and, technically, Sprint) is owned by a foreign company and TracFone [wikipedia.org] is a subsidiary of Mexico's largest telecommunications company, América Móvil,

    • by Anonymous Coward

      T-Mobile US is part owned by DT, but it's mostly owned by ordinary shareholders on the US stock markets

      Sprint is wholly owned by Softbank, so I'm not sure why you're suggesting it's only "technically" foreign but T-Mobile is unambiguously so.

  • by MattMann ( 102516 ) on Monday January 13, 2020 @12:48PM (#59616240)

    being able to swap a SIM from one phone to another is the whole point of SIMs, and it's good for the consumer.

    the telco's hate it because it means they have to face competition. Solution? let's create a dangerous hacking trope called "SIM swapping!" we need to ban SIM swapping!

    • by guruevi ( 827432 )

      If it were a physical SIM this would be one thing, the problem here is virtual SIM's that have no cryptographic or any form of ownership protection (as with any consumer 'chip' tech, it was developed and broken in the 90's).

      What you need is to avoid channels that are not encrypted under complete user control. Eg. iMessage or WhatsApp is encrypted end-to-end with presumably no control by the middle man. But SMS is plain text OTA, no wonder it gets compromised.

  • by 140Mandak262Jamuna ( 970587 ) on Monday January 13, 2020 @12:51PM (#59616254) Journal
    ... Once the attacker tricks the Telco helpcenter staff into installing ...

    Once that is done, a lot more than SIM switch attack can happen.

  • by stabiesoft ( 733417 ) on Monday January 13, 2020 @02:53PM (#59616820) Homepage
    The security lapse is the human factor, not some technical issue. The attacker convinces a person that they need help and the customer service rep helps them. I recall a friend who had a godaddy account. She convinced the customer support person over the phone she was the account holder even though she lost the password, did not know the CC number assigned to the account, or frankly anything about the account. There is nothing you can do to fix that problem as I know way more people like her than me. I would have wanted godaddy to have tough love and say sorry, can't help you.I am hoping that my cell provider sticks to the secondary authorization I have on my account and would tell anyone, including me, to pound sand if I want to make a change without it. Or as a minimum, show up in person to a store and show a DL to the rep. The convenience of not needing to physically show up somewhere to make changes and simply being able to make changes over the phone by whimpering enough is the fundamental problem.
  • by TheNarrator ( 200498 ) on Monday January 13, 2020 @05:27PM (#59617478)

    Google has no customer service and two factor authentication, so you can be safe against sim swap attacks generally.

"Success covers a multitude of blunders." -- George Bernard Shaw

Working...